NSA/GCHQ Hacking Gets Personal: Belgian Cryptographer Targeted

The Belgacom breach was revealed in top secret NSA and GCHQ documents leaked by Edward Snowden, which implicated GCHQ. Last week Snowden warned German television company ARD that the NSA doesn't just hack companies, but also targets individuals. Now it appears that Quisquater is the first known example of such personal targeting.

The breach was discovered by the Belgian authorities investigating the Belgacom hack. They informed Quisquater, who has since lodged a formal complaint. “The Belgian federal police (FCCU) sent me a warning about this attack and did the analysis,” Quisquater told Gigaom by email. As for the purpose of the hack: “We don’t know. There are many hypotheses (about 12 or 15) but it is certainly an industrial espionage plus a surveillance of people working about civilian cryptography.”

The attack method has some similarities to the Belgacom hack in that LinkedIn was the lure. With Belgacom it was a quantum insert attack. With Quisquater, in an attack that appears to have happened six years ago, it was more traditional spear-phishing. He received a fake LinkedIn invite from a non-existent person in the European Patent Office (Quisquater holds 17 patents). This dropped a variant of the MiniDuke malware, which covertly opens a backdoor onto the infected computer.

A year ago Kaspersky Lab uncovered a MiniDuke campaign that appears to be a clear cyber espionage attack against "governments of Ireland, Romania, Portugal, Belgium and the Czech Republic."

The Quisquater hack appears to pre-date the Belgacom attack by several years. Top secret documents leaked in early January show how the NSA's Tailored Access Operations (TAO) group progressed from email-based hacking (as in Quisquater) to its quantum insert method (as in the more recent Belgacom hack). "Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%," one internal NSA presentation states.

Although there is no specific statement that either the NSA or GCHQ is thought to be responsible, that is the clear implication. Where this differs from NSA and GCHQ justifications for their internet surveillance is that it is difficult to see a cryptography professor as a potential terrorist or threat to national security. This would appear to be simple espionage designed to aid the intelligence agencies' attempts to crack the world's encryption algorithms.

"It seems clear to me," comments security expert Graham Cluley, "that anyone working in cryptography research now needs to consider themselves a potential target for state-sponsored cyber-attack, even from countries who you might consider to be on the same side as you."